{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "283" } ] }, "events": [ { "introduced": "0" }, { "fixed": "04432ad6d3775a2fe84c5c63cae0b430d3539ad8" } ], "repo": "https://github.com/cloudfoundry-attic/cf-release", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.46.0" }, { "introduced": "0" }, { "fixed": "1.3.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "5534906e48bd4a2465d0beef8daa7f23be6b8e89" }, { "introduced": "0" }, { "fixed": "53c2dbe469c52a48b44dc13d102fa928296196ec" } ], "repo": "https://github.com/cloudfoundry/capi-release", "type": "GIT" } ] } ], "details": "In Cloud Controller versions prior to 1.46.0, cf-deployment versions prior to 1.3.0, and cf-release versions prior to 283, Cloud Controller accepts refresh tokens for authentication where access tokens are expected. This exposes a vulnerability where a refresh token that would otherwise be insufficient to obtain an access token, either due to lack of client credentials or revocation, would allow authentication.", "id": "CVE-2018-1195", "modified": "2026-04-01T23:08:55.707561230Z", "published": "2018-03-19T18:29:00.327Z", "references": [ { "type": "ADVISORY", "url": "https://www.cloudfoundry.org/blog/cve-2018-1195/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }